On 2024-12-13 17:07, James Bottomley wrote:
> On Fri, 2024-12-13 at 12:59 +0000, andrewg via Gnupg-devel wrote:
>
>> Fault attacks require the generation of multiple signatures over the
>> same message digest. With an unsalted signature, it is sufficient to
>> induce a victim to sign the same message twice with the same
>> timestamp. With a salted signature, it is vanishingly improbable that
>> the same digest will ever be produced.
>
> Hey, that's a bit misleading.

Sorry, I did gloss over a lot of detail...

> For Elliptic Curves a distinct nonce is
> a required part of the signature scheme and the weakness is that if two
> different messages are ever signed by the same key using the *same*
> nonce then the private key can be mathematically recovered.

Sure, but in deterministic ECC signature schemes the nonce is calculated from the message. In OpenPGP, the ECC "message" is the OpenPGP digest, so adding a salt to the digest ensures that both the nonce and the message are unique for every signature.

> However, while the faulted message attack sounds more
> plausible, the same signature faulted second message is only achievable
> in a limited timeframe, the timespan for pulling off a faulted rng
> attack is the key lifetime, giving a determined attacker much more
> leeway to produce an identical nonce.

In OpenPGP all signatures contain a timestamp, so even if a determined attacker was able to generate a large number of signatures using a faulty RNG, the timestamp field would keep incrementing. The attacker would need to either force a duplicate salt within ~1s, or find a hash collision.

A
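The argument in the reply above (a deterministic nonce is a function of the signed digest, so a salt or a changing timestamp in the hashed data changes the nonce) can be made concrete. The following is an added example, not code from the thread or from GnuPG: it models the hashed data of a signature as message || creation timestamp, optionally prefixed by a random salt, and derives the nonce with a plain HMAC as a simplified stand-in for a deterministic scheme such as RFC 6979. The digest layout, the function names and the constructed key and messages are assumptions for illustration; the property being demonstrated, that the same key and the same digest yield the same nonce, is what the real schemes share.

```python
import hashlib
import hmac
import os
import struct
from typing import Optional


def signature_digest(message: bytes, timestamp: int, salt: Optional[bytes] = None) -> bytes:
    """Toy stand-in for the data an OpenPGP signature hashes.

    Constructed for this example: the real OpenPGP hashed layout is more
    involved, but the ingredients that matter here are the same: the
    message, the signature creation time, and (for salted signatures) a
    random salt that is hashed before everything else.
    """
    h = hashlib.sha256()
    if salt is not None:
        h.update(salt)
    h.update(message)
    h.update(struct.pack(">I", timestamp))  # 32-bit creation time, as in OpenPGP
    return h.digest()


def derive_nonce(private_key: bytes, digest: bytes) -> bytes:
    """Deterministic nonce that depends on (key, digest) only.

    Simplified stand-in for RFC 6979 / EdDSA-style derivation. It keeps the
    one property this example relies on: same key + same digest => same nonce.
    """
    return hmac.new(private_key, digest, hashlib.sha256).digest()


def nonces_collide(private_key: bytes,
                   msg_a: bytes, ts_a: int, salt_a: Optional[bytes],
                   msg_b: bytes, ts_b: int, salt_b: Optional[bytes]) -> bool:
    """True when two signing operations would reuse the same nonce.

    For ECDSA/EdDSA a reused nonce over distinct data is the condition the
    thread warns about, so a defender wants this to be False whenever the
    two signatures are not byte-for-byte identical.
    """
    nonce_a = derive_nonce(private_key, signature_digest(msg_a, ts_a, salt_a))
    nonce_b = derive_nonce(private_key, signature_digest(msg_b, ts_b, salt_b))
    return hmac.compare_digest(nonce_a, nonce_b)


def scenarios(private_key: bytes = b"constructed-demo-key") -> dict:
    """Run the cases discussed in the thread and report which ones collide."""
    msg = b"constructed message"
    fresh_salt_1 = os.urandom(32)
    fresh_salt_2 = os.urandom(32)
    stuck_salt = b"\x00" * 32  # models a faulty RNG returning the same salt
    return {
        # unsalted, same message, same second: attacker's easy case
        "unsalted_same_second": nonces_collide(
            private_key, msg, 1000, None, msg, 1000, None),
        # unsalted, same message, next second: timestamp already separates them
        "unsalted_next_second": nonces_collide(
            private_key, msg, 1000, None, msg, 1001, None),
        # salted with a working RNG: distinct every time
        "salted_fresh": nonces_collide(
            private_key, msg, 1000, fresh_salt_1, msg, 1000, fresh_salt_2),
        # faulty RNG repeating the salt, but signatures a second apart
        "stuck_salt_next_second": nonces_collide(
            private_key, msg, 1000, stuck_salt, msg, 1001, stuck_salt),
        # faulty RNG repeating the salt within the same second: the residual risk
        "stuck_salt_same_second": nonces_collide(
            private_key, msg, 1000, stuck_salt, msg, 1000, stuck_salt),
    }


if __name__ == "__main__":
    for name, collides in scenarios().items():
        print(f"{name:26s} nonce reuse: {collides}")
```

Only the first and last cases collide: without a salt, re-signing the same message inside one second reproduces the nonce, and with a salt the attacker needs the RNG to repeat the salt inside that same second. Everything else changes the digest, and therefore the nonce, which is the point made in the reply.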

_______________________________________________
Gnupg-devel mailing list
Gnupg-devel@gnupg.org
https://lists.gnupg.org/mailman/listinfo/gnupg-devel
